A California-based insurer that inadvertently left tens of millions of private customer records open to the internet has become the first company to be charged by New York's Department of Financial Services (DFS) for cybersecurity rule violations.
The Empire State's financial regulator said First American Title Insurance was so negligent in securing its data that it broke state rules on the protection of non-public information (NPI). In April 2018, the insurer's system housed 753 million documents, 65 million of which had been tagged as containing NPI. By May 2019 it held more than 850 million records in total. According to the DFS, these were reachable from the public web for more than four years because of a vulnerability in the insurer's software.
And despite knowing of the flaw for roughly six months, the company did nothing effective to fix it, according to the DFS. It could be fined $1,000 per violation.
"For more than four years, First American Title Insurance Company exposed tens of millions of documents that contained consumers’ sensitive personal information including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images," the DFS charged [PDF].
"From at least October 2014 through May 2019, due to a known vulnerability on [First American's] public-facing website, these records were available to anyone with a web browser."
The filing is the first cybersecurity charge to be brought by the DFS, the state agency that oversees the largest financial center in the world. Though First American lists its headquarters as Santa Ana in California, it, like virtually every other sizable financial company in the nation, does much of its business in New York.
The exposed documents were stored in First American Title Insurance's FAST, a repository holding hundreds of millions of scans of customers' official documents for things like mortgage filings. According to the DFS, in 2014 a vulnerability was accidentally introduced into EaglePro, First American's web-based software that shares documents from FAST with customers via emailed links.
The flaw could be exploited to view any image in the system: documents sent via EaglePro were displayed from a URL carrying an ImageDocumentID parameter, and changing that parameter to any other value pulled up other people's paperwork, with no authorization check performed. In other words, a textbook insecure direct object reference.
So if your scan had an ImageDocumentID of 1234, and you changed it to 1235 and fetched that, you'd see whichever document carried that ID, even if it belonged to someone else. The files also appear to have been indexed by web search engines, so anyone with the right query terms could find them. And because the ID numbers were assigned sequentially, one could crawl through the whole database.
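The pattern described above, as an added example that is not code from First American or from this article: a minimal Python model of the flawed handler (a sequential ImageDocumentID selected straight from the URL, with no authorization check, and therefore crawlable) beside a hardened version. The store contents, user names, share-token design, response headers and handler names are all constructed here for illustration and are not a description of how EaglePro actually works.

```python
"""Model of the EaglePro-style insecure direct object reference and one fix.

Added example for this article; not First American's code. Store contents,
user names and the handler design are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample repository keyed by a sequential ImageDocumentID, as in
# the article's 1234 / 1235 illustration: id -> (owner, document body).
DOCUMENTS: dict[int, tuple[str, str]] = {
    1234: ("alice@example.com", "Alice: mortgage statement (constructed)"),
    1235: ("bob@example.com", "Bob: wire transfer receipt (constructed)"),
    1236: ("carol@example.com", "Carol: driver's licence scan (constructed)"),
}


def fetch_document_vulnerable(image_document_id: int) -> Optional[str]:
    """The flawed pattern: the URL parameter alone selects the record, and
    nothing checks that the requester is entitled to see it."""
    rec = DOCUMENTS.get(image_document_id)
    return rec[1] if rec else None


def crawl_sequential_ids(start: int, count: int) -> list[int]:
    """What an attacker does against sequential IDs: walk the range and keep
    every ID that returns a document (here, without any credentials at all)."""
    return [i for i in range(start, start + count)
            if fetch_document_vulnerable(i) is not None]


# --- Hardened version -------------------------------------------------------
# Two changes (a hypothetical design, not EaglePro's):
#  1. the emailed link carries an unguessable share ID instead of the record's
#     sequential key, so a leaked or indexed link cannot be walked;
#  2. the handler requires the authenticated user to be the share's intended
#     recipient (object-level authorization) and answers "not found" for both
#     missing and unauthorized shares, so the response is not an oracle for
#     which IDs exist.

@dataclass
class Share:
    image_document_id: int
    recipient: str


SHARES: dict[str, Share] = {}


def create_share(image_document_id: int, recipient: str) -> str:
    """Issue the token that would go into the emailed link."""
    if image_document_id not in DOCUMENTS:
        raise KeyError(image_document_id)
    share_id = secrets.token_urlsafe(32)  # 256 bits of randomness: not enumerable
    SHARES[share_id] = Share(image_document_id, recipient)
    return share_id


def fetch_document_hardened(share_id: str,
                            authenticated_user: Optional[str]) -> Optional[dict]:
    """Return the document only to the authenticated recipient of this share.

    The web framework is assumed to have authenticated the caller before
    passing `authenticated_user`; None means an unauthenticated request.
    """
    share = SHARES.get(share_id)
    if (share is None or authenticated_user is None
            or share.recipient != authenticated_user):
        return None
    _owner, body = DOCUMENTS[share.image_document_id]
    return {
        "body": body,
        # Keep the document out of shared caches and search-engine indexes.
        "headers": {"Cache-Control": "private, no-store",
                    "X-Robots-Tag": "noindex"},
    }


if __name__ == "__main__":
    print(crawl_sequential_ids(1230, 10))                      # [1234, 1235, 1236]
    link = create_share(1235, "bob@example.com")
    print(fetch_document_hardened(link, "bob@example.com")["body"])
    print(fetch_document_hardened(link, "alice@example.com"))  # None
```

The two fixes are independent and both are needed: an unguessable link stops the crawl, but a recipient who forwards the link, or a search engine that indexes it, would still expose the document without the server-side recipient check; conversely an authorization check alone leaves sequential IDs as an enumeration aid for anyone who has, or steals, an account. The `noindex` and `no-store` headers address the search-indexing angle the article mentions.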
That bug went unnoticed until December 2018, when a security audit by the insurer's Cyber Defense Team uncovered the hole, and it was reported to the EaglePro development team. The programmers then passed the information up the chain with the recommendation that the flaw be addressed.
"Among the key findings in the Cyber Defense Team's report was the following warning: 'using standard internet search methods we were able to bypass authentication to retrieve documents that were found using Google searches'," the DFS charged. "The Cyber Defense Team reviewed 10 documents exposed by the vulnerability, and, although none contained NPI, the Cyber Defense Team strongly recommended that the application team investigate further and determine whether sensitive documents were exposed."
Despite these warnings, First American top brass allegedly dragged their feet on doing anything about the bug. There was no follow-up investigation, and the issue was downplayed as not being a serious risk, with patching duties being assigned to a junior-level employee with little experience in security matters, we're told.
"To this day, the sole control preventing EaglePro from being used to transmit NPI is merely an instruction to users not to send NPI," the DFS claimed. The department has charged First American with six violations of the state's Code of Rules and Regulations related to the protection of data, monitoring access, risk assessment, and training of employees.
A spokesperson for the insurer told us:
First American strongly disagrees with the New York Department of Financial Services’ charges relating to a limited cybersecurity incident from May 2019. As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents.
In March, the Nebraska Department of Insurance, the primary regulator of our title insurance company, led an examination of First American’s information security program as of June 30, 2019 and our response to the information security incident. The resulting report [PDF] concluded that our “IT general controls environment is suitably designed and is operating effectively,” that we “adequately and appropriately detected, analyzed, contained, eradicated and recovered from the security incident” and that we are in compliance with New York’s cybersecurity requirements for financial services companies.
First American is also subject to an SEC investigation over the mishap. ®